We’ve shrieked hysterically about Google’s smart thermostat – Nest – before, likening it to sci-fi horror where remote companies watch your every move, before ultimately singing ‘Daisy Daisy’ while trying to oversee your untimely death.
We might be overdoing it a bit. However, what doesn’t help is that Nest has a camera that watches you in your home, and a team at ABI Research found that, even when the camera is “off,” it still draws around the same amount of info as it does when it is fully powered.
Basically, you might think you’ve turned it off, but you haven’t. Kill it with fire. Or throw some undercrackers over it.
A spokesperson for Nest Labs told the BBC: “When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time.” So, standby mode then. Either way though, this is an ‘always on’ camera in your house, and this is Google (or Alphabet if you prefer) we’re talking about here. A company that not only wants to watch you at home, but also wants to store your DNA through the chilling 23andMe wing.
The Nest spokesperson continued: “When Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings.” While that may do for some, there’s going to be concerns over Google storing hours of footage of you at home in their cloud. Imagine the outpouring of hate that’ll happen if their servers get hacked.
If you’re still a TalkTalk customer after that hack (and didn’t bother with this letter of cancellation), then you will be able to pick from a bunch of freebies by way of apology from the company.
Over 150,000 customers and around 16,000 bank account numbers will be getting an upgrade from the 1st December, which means you can add one of the following to your existing services: TV content including movies, kids entertainment and sports; a mobile SIM with a monthly allowance of free texts, data and calls; unlimited UK landline and mobile calls; or a broadband health check. Very few will be choosing the latter, we suspect.
TalkTalk’s chief executive, Dido Harding, said: “TalkTalk takes the security of customers’ data extremely seriously and we are taking significant further steps to ensure our systems are protected, as well as writing to all our customers outlining what we are doing to keep their data safe.”
“In recognition of the unavoidable uncertainty, and because we know that doing what is right for our customers will ensure the best possible outcome for the company over the longer term, we are today announcing the offer of a choice of free upgraded services to all our customers.”
Seeing as fewer people were affected by the hack than first thought, TalkTalk will be relieved, and now all their customer-facing sales and service channels are back in full swing. However, there’s still no hiding from the fact that the company has been hacked three times within the last 12 months, which is dreadful form.
There’s still going to be a parliamentary committee investigation into the whole thing, which will be kicking off later this month, and the hack has reportedly seen 200,000 customers jumping ship.
More on the upgrade over at this TalkTalk page.
For a slightly longer answer, May thinks that some websites are ‘safe havens’ for criminals, and now she wants to see new laws which give authorities the chance to access everyone’s information. It looks like she’ll want to get rid of encryption, and that all your internet history would be recorded, so authorities can look at it whenever they want, without having to get permission from anyone. They want to keep everything you do online, on record, for a year.
They also want to be able to see who you’ve texted and emailed too. If your messages are encrypted, the company keeping your messages private must hand over data to authorities if asked.
With the hacks and leaks that have been doing the rounds lately, there’s just concern about anyone holding all this private information on everyone with an internet connection.
The draft bill underlines a want for powers for the bulk collection of large volumes of communications and other personal data by MI5, GCHQ, MI6, and for the introduction of “equipment interference powers”. This all means that computers and phones can be hacked whenever they want, in the name of national security.
Of course, the stupid thing here, is that actual criminals won’t be arranging serious crimes on Facebook Messenger or anything like that, so it looks like they just want to snoop on everyone else, which is going to worry many. It won’t worry the kind of people who say “well I’ve done nothing wrong, so they can look through all my stuff if they want”, but you can’t do anything about those people.
The Home Office has published the Investigatory Powers Bill in the House of Commons, which means it’ll be examined by both Houses of Parliament. There’ll be a final vote on the whole thing at some point in 2016. We suspect there’ll be some legal action thrown at the government before then.
How To Stay Anonymous Online
If you want to browse the internet anonymously, the first place to start is with the free Tor Browser. We won’t bore you with the ins-and-outs of the whole thing, but basically, it puts your web traffic through Tor’s network, and makes it anonymous and encrypts the shit out of it. It isn’t wholly anonymous, but it isn’t far off.
You can send emails through web services in Tor Browser too, but you’d need an email account that doesn’t reveal any personal information about you. One to look at is Guerrilla Mail.
As for instant messaging, there’s Pidgin, Wickr, and Tor who have just released their own. You know how to work a phone or search engine, so get on those. As for your phone itself, there’s an app called Orbot that runs Tor on Android.
If you want to set up a VPN (Virtual Private Network), then click here for a VPN how to guide. There’s loads of tutorials online, if you want to vanish from the eyes of the government.
Vodafone are the latest to fall victim to a hack, with internet scallies getting access to nearly 2,000 customers’ details. We hope that the hackers aren’t doing this for attention, because we’re kinda bored by all these hacks now – they’ve lost their edge somewhat.
Anyway, Vodafone said that 1,827 accounts have been accessed, and they fear that criminals have customers’ names, mobile numbers, bank sort codes and the last four digits of their bank accounts, which is no good.
A Vodafone spokesman said: “This incident was driven by criminals using email addresses and passwords acquired from an unknown source external to Vodafone. Vodafone’s systems were not compromised or breached in any way.”
Vodafone started an investigation over the weekend, and have informed the National Crime Agency, Ofcom and the Information Commissioner’s Office. They’re not mucking about, like TalkTalk have been (and if you’re unimpressed with TalkTalk and want to leave them, check out our letter template so you can get out of your contract).
“Whilst our security protocols were fundamentally effective, we know that 1,827 customers have had their accounts accessed, potentially giving the criminals involved the customer’s name, their mobile telephone number, their bank sort code, the last four digits of their bank account,” continued Voda.
“Our investigation and mitigating actions have meant that only a handful of customers have been subject to any attempts to use this data for fraudulent activity on their Vodafone accounts. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts. These customers’ accounts have been blocked and affected customers are being contacted directly to assist them with changing their account details.”
As well as telling all the relevant authorities, Vodafone have also contacted all the banks of affected customers. Even if you think Vodafone are run by a bunch of gits, this is a fine way to deal with a crisis compared to some of their peers.
Visa, Sky TV, Amazon and Ticketmaster, are also being targeted – busy time for the hackers, eh?
Crib notes from it, or cut-and-paste the whole thing. Of course, they might try it on and aim to fine you for leaving your account early, but if you’re willing to stick at it, they should let you go.
Send your letter to: Customer Relations Department, TalkTalk Group, PO Box 346, Southampton, SO30 2PW
You’ll be giving them 14 days to reply and sort this out, which is the law. If they don’t, you can cancel your direct debit with them, as they’re in breach of contract and have indicated their acceptance of your terms within the letter.
Give ‘em hell!
Letter Template To Cancel TalkTalk Account After Data Breach
Dear Sir or Madam,
Account number: [account number here]
It is clear that you, TalkTalk, are in material breach of these clauses and, with the hack in October 2015 being the third on TalkTalk’s systems within a year, this represents a clear failure to secure my details. You have failed to take the agreed safeguards and have failed to secure my, the customer’s, personal details, which has resulted in my personal information being exposed to third parties who do not have consent from myself.
As a result, I want you to terminate my contract without any penalty. I will insist that you send written confirmation to me that will allow me to move to a new provider, without cost, within 14 days of receiving this letter.
After the 14 day period, you will receive no more payments from me, and should you proceed to harm my credit over non-payments, I will be forced to take further legal action over any costs accrued.
[print name here]
[write account number again]
Now, British Gas are the latest to get in on the act, and have had to get in touch with around 2,200 people after account passwords and email addresses appeared online. The company say that their systems are secure and no payment info is at risk, but still, this doesn’t look very good does it?
The details of this leak will now be sent over to the Information Commissioner’s Office, so they can investigate what’s going on.
British Gas posted on Twitter: “A small number of customer details briefly appeared online but our systems are secure.” The follow-up email states that the information had not come from the company themselves.
Next week, we assume we’ll be writing an article about a massive bank keeping customers’ personal details in a brown paper bag which they’ve hidden behind a plant-pot, and a massive supermarket that keeps customer data safe behind a chocolate fire-guard.
Now, M&S said that no-one’s details were compromised by the ‘internal technical problem’, but they said sorry, given that everyone is particularly jumpy about such things at the moment. Some people said they logged in and could see other people’s orders and payment details.
A spokesperson for M&S said that the whole thing was a “technical issue” and that customers may have been able to see the last four digits of another person’s payment card “for a brief moment”, but the actual card details are encrypted, so there’s no need to worry.
“There were no financial details compromised at all,” the spokesperson said. “We weren’t hacked by a third party. It was an internal technical problem.”
Another spokesperson added: “Due to a technical issue we temporarily suspended our website last night. This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused.”
This is all a bit embarrassing, seeing as there’s likely to be a number of new customers signing up to the site, thanks to the Sparks scheme.
TalkTalk customers have had their personal information hacked in what the police are calling a “significant and sustained” cyber-attack on the company’s website. This is the third data breach in a year for TalkTalk.
“We are continuing to work with leading cybercrime specialists and the Metropolitan police to establish exactly what happened and the extent of any information accessed,” said TalkTalk.
The company’s chief executive, Dido Harding, said: “We take any threat to the security of our customers’ data extremely seriously, and we are taking all the necessary steps to understand what has happened here.”
The way TalkTalk has been handling this has angered some customers. Looking through Twitter, it seems that TalkTalk’s customer service lines have been downed by the volume of people trying to get answers about what exactly has gone missing.
One of the things that will worry TalkTalk customers, is that the last time they were scammed out of money after a hack, TalkTalk refused to accept any liability, and blamed one victim for being tricked. They said, after one of their customers was scammed out of nearly £3,000, that because the customer gave details to the fraudster, he was “validating and authorising the transfer of funds”.
So what about this hack? Well, TalkTalk said that it is possible that credit card and bank account details could’ve been swiped, as well as personal info like names, addresses, dates of birth, email addresses and telephone numbers. Here’s the kicker – TalkTalk have said that “not all of the data was encrypted” but that they think “our systems were as secure as they could be”.
Basically, customers need to keep an eye on their accounts and keep checking for any odd behaviour or payments being made from it. If you do see something odd going on, you need to report it to ActionFraud. Obviously, like always, if anyone rings you up asking for your passwords and the like, tell them to piss off. No legit business ever asks for your passwords and bank details.
Until then, wait for TalkTalk to get in touch and they should tell you more in due course.
UPDATE: TalkTalk is pointing customers in the direction of a special site if there are any questions: http://help2.talktalk.co.uk/oct22incident. If you’d prefer to ring someone, then the number is 0800 083 2710, or 0141 230 0707, but remember, they’re likely to be extremely busy today.
UPDATE 2: Ebuyer.com have published some figures to show how many people were supposedly affected. They’ve said:
- less than 1.2 million customer email addresses, name and phone numbers
- less than 28,000 obscured credit and debit card details
- less than 21,000 bank account numbers and sort codes
- less than 15,000 customer dates of birth
Apple have gone and told a judge that getting at the data stored on a locked iPhone would be ‘impossible’ (provided the device is using the latest operating system). Sounds like someone throwing the gauntlet down to us.
Anyway, they made this claim after a federal magistrate judge wanted Apple’s opinion as the court looked at a request to force the phone makers to give a hand to authorities who wanted to access a seized iPhone that was part of an investigation.
Apple reckons that 90% of their devices that are running iOS 8 or higher would be impossible to get into, after they bolstered encryption. The latest device has a feature that stops people getting at data if they don’t have the passcode. That includes Apple themselves. Although, we reckon there’s a few shops on the high street who will still have a go at getting into it, for a small fee.
This of course, followed the Edward Snowden leaks, when everyone started getting really jumpy about personal privacy and security.
Apple told US Magistrate Judge James Orenstein that they can access the devices which are still running older systems, but Apple think that this is around 10% of their users.
“Forcing Apple to extract data in this case, absent clear legal authority to do so, could threaten the trust between Apple and its customers and substantially tarnish the Apple brand,” said Apple’s lawyers.
The biggest online pharmacy in the UK has been slapped with a £130,000 fine after they sold patients’ personal data to scammers. Those scam artists then targeted people who are vulnerable and sick, which is just great.
Pharmacy2U (P2U) was hauled in by the Information Commissioner’s Office (ICO) after it was discovered that they’d been giving names and contact details for people who had bought prescriptions and remedies from their site, through their Alchemy Direct Media company. It turns out they’d illegally sold the personal data of more than 21,000 NHS patients and P2U customers.
You’re supposed to get people’s permission before you sell their personal data – they did not.
It might be an idea to run a quality control over who you’re selling it to, which this lot clearly didn’t do, as one of the companies that bought the data were lottery fraudsters, who then went after pensioners with chronic health conditions.
Over 100,000 customer details were advertised for sale on the database, which actually broke people down into categories, such as detailing which people had Parkinson’s disease, or which ones were over 70.
ICO deputy commissioner David Smith said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.”
“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”
Daniel Lee, managing director of P2U, said: “This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.”
“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.”
Apple are giving the boot to a number of apps that collect personal data, which are in violation of the company’s privacy policies. They made the announcement after they found hundreds of applications using Chinese ad-software that extracts “personally identifiable user information.”
“We’ve identified a group of apps that are using a third-party advertising SDK (software development kit), developed by Youmi, a mobile advertising provider, that… gather private information, such as user email addresses and device identifiers, and route data to its company server,” said Apple.
“This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected.”
“We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
Of course, Apple aren’t getting rid of all companies who collect personal data on iPhone users, or they’d have to get rid of Google, Facebook and of course, themselves.
Anyway, the company don’t allow third-party apps to share data about a user without obtaining the user’s explicit permission. That means they reject apps that require users to share personal ID like your email address or your birth date. Apple’s researchers found 256 apps (which had been downloaded a million times, give or take) that had the version of Youmi which violates user privacy.